FortiOS 5.6.1 New Security Fabric features

New Security Fabric features

In FortiOS 5.6, the Security Fabric (previously known as the Cooperative Security Fabric) has been expanded in several ways to add more functionality and visibility.

One of the most important functional changes is that FortiAnalyzer is now a required part of the Security Fabric configuration. Also, two important new features, Security Fabric Audit and Fabric Score, have been added to provide a method to continually monitor and improve the Security Fabric configuration.

Many changes have been made through FortiView to improve the visibility of the Security Fabric. More information is now displayed and you can access downstream FortiGates directly from the root FortiGate’s FortiView display.

Other smaller improvements have been made throughout the Security Fabric, with a focus on improving communication between devices.

In FortiOS 5.6.1, the new updated GUI design consolidates the Security Fabric features together under a new menu and has many new topological changes to provide greater visibility into the connectivity of your networked devices. This includes adding more Fortinet products to the topology and widgets. Other topology improvements include enhanced IPsec VPN detection (which now includes detection of downstream FortiGates) and support for SD-WAN. Smaller changes have also been made to add more information to device tooltip alerts in the Physical and Logical Topology views.

Setting up the Security Fabric in FortiOS 5.6

See the following FortiGate Cookbook recipes to get started in setting up the Security Fabric in FortiOS 5.6:

l Installing a FortiGate in NAT/Route mode l Security Fabric installation

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces

You can now enable FortiTelemetry for IPsec VPN interfaces. The Security Fabric can now detect the downstream FortiGate through the IPsec VPN interface. This allows you to send FortiTelemetry communication over a Gateway-to-Gateway IPsec VPN tunnel between two remote networks. One of the networks would contain the root FortiGate and the network at the other end of the IPsec VPN tunnel can connect to the root FortiGate’s Security Fabric.

In the GUI, to enable FortiTelemetry

  1. Go to Network > Interfaces and edit your IPsec VPN interface.
  2. Under Administrative Access enable FortiTelemetry.


New Security Fabric Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN features          interfaces

Your IPsec VPN interface will automatically be added to the FortiTelemetry enabled interface list under Security Fabric > Settings.

In the CLI, enter the following commands:

config system interface edit <vpn_name> set fortiheartbeat enable


Re-designed Security Fabric setup

A new updated GUI menu consolidates the Security Fabric features in one location. This includes Physical Topology, Logical Topology, Audit, and Settings. For more details, see the illustration below:

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces New Security Fabric features

Improved Security Fabric Settings page

The Security Fabric Settings page has been updated to act as a centralized location for you to enable connectivity to other Fortinet products. Navigate to Security Fabric > Settings.

Changes to the Settings page include the following:

l The previous Enable Security Fabric option has been replaced with an option to enable FortiGate Telemetry. l The previous Downstream FortiGates option has been replaced with Topology to show multiple devices.

See the screen shot below:

Security Fabric dashboard widgets

Security Fabric dashboard widgets

New dashboard widgets for the Security Fabric put information about the status of the Security Fabric at your fingertips when you first log into your FortiGate.

The FortiGate dashboard widget has been updated to include the following Fortinet products: FortiGate (core), FortiAnalyzer (core), FortiSwitch, FortiClient, FortiSandbox, and FortiManager. See the screen shot below:

You can hover over the icons along the top of the Security Fabric widget to get a quick view of the status of the Security Fabric. Available information includes the FortiTelemetry status and the status of various components of in the Security Fabric.

The Security Fabric Score widget shows the Security Fabric Audit score for the Security Fabric and allows you to apply recommended changes right from the dashboard.


Physical and Logical FortiView improvements

Physical and Logical FortiView improvements

The FortiView Physical and Logical Topology pages now display the following improvements:

  • Shows both FortiGates in an HA configuration l Shows FortiAPs l Lists FortiAnalyzer and FortiSandbox as components of the Security Fabric l Highlights the current FortiGate l Displays Link Usage in different colors l Ranks Endpoints by FortiClient Vulnerability Score and by Threat Score ( see below, for more information) l Displays user avatars l Recognizes servers as a device type
  • Introduces a search bar to help locate specific devices in the Security Fabric

Updated Physical and Logical Topology legend

On the Physical Topology and Logical Topology pages, the Security Fabric legend has been updated. See the screenshot below:

Physical and Logical FortiView improvements

New option to minimize the Topology

This new feature allows you to minimize portions of the Physical and Logical Topology. This makes it easy to view your entire topology, or minimize portions to focus in on a specific area. See the screenshot below:

Security Fabric Topology shows new resource information alerts

The enhanced Security Fabric topology now shows CPU Usage and Memory Usage alerts in the device information tooltip. It also displays a warning if the FortiGate is in conserve mode. Note that the CPU usage, memory usage and conserve mode data are drawn from the data that was last loaded from the FortiGate, not real-time data.

You can see the new CPU Usage and Memory Usage fields shown in the tooltip below:

Physical and Logical FortiView improvements

The Conserve mode warning is shown below:

SD-WAN information added to Security Fabric topology

The Security Fabric topology now includes SD-WAN. Enhancements include greater visibility into where the data comes from and goes to, link saturation indicators, and detailed tooltip explanations. The following SD-WAN information has been integrated into the Security Fabric topology:

  • The tooltip for the SD-WAN interface now includes load balancing settings. l In the Security Fabric Logical Topology, SD-WAN and its interface members will appear above all interfaces.
  • If connected to an upstream FortiGate, one link between the exact SD-WAN member and the upstream FortiGate will appear.
  • If connected to a destination bubble, links between each enabled member and the destination bubble appear.
  • Interface bandwidth and link utilization for other interfaces (WAN role interface) have been temporarily removed and will be added back in later.
  • Fixes have been made to show vulnerabilities for multiple MAC addresses (402495) and to show the FortiSwitch serial and port (389158).

For more details see the screenshot below:


FortiCache support for the                      (435830)

SD-WAN Monitor Support added to Security Fabric (417210)

The Security Fabric now retrieves monitor information from all members of the Security Fabric and displays it in the GUI of the root FortiGate. Support was added for the Routing Monitor, DHCP Monitor and User Quarantine Monitor.

You can use the new drop down menu shown below to select the Security Fabric members:

FortiCache support for the Security Fabric (435830)

FortiGates in the Security Fabric can now use FortiCache as a remote cache service. Previously, FortiCache was supported via WCCP re-direct only, but now FortiGates can use it as a local cache rather than redirecting via WCCP.

In the GUI, follow the steps below:

  1. Go to Security Fabric > Settings and enable HTTP Service.

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

  1. Set Device Type to FortiCache and add the IP addresses of the FortiCache devices.
  2. You can also select Authentication and add a password if required. See the screenshot below:

In the CLI, enter the following commands:

config wanopt forticache-service set status enable

set local-cache-id <local-cache-id> set remote-forticache-id <remote-forticache-id> set remote-forticache-ip <remote-forticache-ip>


l status – Enable/disable using FortiCache as web-cache storage l disable – Use local disks as web-cache storage l enable – Use a remote FortiCache as web-cache storage l local-cache-id – The cache ID that this device uses to connect to the remote FortiCache l remote-forticache-id – The ID of the FortiCache that the device connects to l remote-forticache-ip – The IP address of the FortiCache the device connects to

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

The Security Fabric audit now has separate audit tests for FortiGuard licenses based on whether the FortiGuard license is valid, expired, never been activated, or temporarily unavailable. Previously, the audit test performed one batch test on all FortiGuard licenses, regardless of the status of the licenses. Recommendations for individual licenses are also provided in the GUI tooltips.

You can see the new breakdown of pass or fail actions shown below:

  • License valid = pass l License expired = fail l License never activated = fail
  • License is unavailable (connection issue with FortiGuard) = pass

If a required Feature Visibility is disabled, the audit test for it will not show vulnerabilities. The audit will show a score of zero (or a pass). Go to System > Feature Visibility (previously the Feature Select menu) to make any changes.

FortiClient Vulnerability Score

In the GUI, follow the steps below to check the status of your FortiGuard licenses:

  1. Go to Security Fabric > Audit to check the status of your FortiGuard licenses.
  2. Follow the steps in the Security Fabric Audit wizard.
  3. Expand Firmware & Subscriptions, and look at the FortiGuard License Subscriptions section to verify whether any recommended action is required. See the example below:

FortiClient Vulnerability Score

Endpoints in the Security Fabric topology are now ranked by their FortiClient Vulnerability Score. This score is calculated by the severity of vulnerabilities found on the endpoint:

l critical vulnerability = 100 points l high vulnerability = 50 points l medium vulnerability = 5 points l low vulnerability = 2 points l info vulnerability = 1 point

FortiView Consolidation

Information about the Security Fabric can now be seen throughout the FortiView dashboards on the upstream FortiGate, when the real-time view is used.

  • You can right-click on an entry and select View Aggregated Details to see more information.
  • The upstream FortiGate filters information to avoid counting traffic from the same hosts multiple times on each hop.

The upstream FortiGate also now has the option to end downstream FortiGate sessions or quarantine endpoints that connect to downstream FortiGates.

Remote login to downstream FortiGates

Remote login to downstream FortiGates

You can now log into downstream FortiGates from the upstream FortiGate, by right-clicking on the downstream FortiGate when viewing the Security Fabric’s topology using FortiView.

Logging Consolidation and Improvements

Several changes have been made to improve logging for a Security Fabric.

Sending all logs to a single FortiAnalyzer

By default, all FortiGates in the Security Fabric now send logs to a single FortiAnalyzer. The connection to the FortiAnalyzer is configured on the upstream FortiGate, then the settings are pushed to all other FortiGates.

In FortiOS 5.6, a FortiAnalyzer is required for the root FortiGate in the Security Fabric; however, downstream devices can be configured to use other logging methods through the CLI:

config system csf set logging-mode local


Data Exchange with FortiAnalyzer

The following information about the Security Fabric configuration is now sent to the FortiAnalyzer:

l Topology info l Interface roles l LAT / LNG info l Device asset tags Device Tree

Retrieving Monitor Information

Monitors on the upstream FortiGate, such as the VPN Monitor, Route Monitor, and User Quarantine, can now view the information from downstream devices. You can use the button in the top right corner of the screen to change the FortiGate information that is displayed.

Log Settings

Log statistics for each FortiGate in the Security Fabric are now shown when you go to Log & Report > Log Settings.

Device Tree

The entire Security Fabric tree is now updated upward, and each node has an updated state of the whole subtree. The content is saved in the local file and upon request from the GUI or a diagnose command (dia sys csf downstream) it can be retrieved.


What is the Security Fabric Audit?

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU